The education sector was already dealing with a vast array of critical issues, including a lack of resources, a shortage in staff and training, and a scarcity of funding. Then COVID-19 hit. This forced massive upheaval and disturbance to the methods used to teach and for pupils to learn. The situation involved a speedy move to remote working and the re-evaluation of the systems and processes in place for many years.
This sudden shift has left the industry exposed.
Overnight, and on top of the usual logistics of the academic year, the education system had to abruptly re-evaluate everything that it knew, to continue teaching the minds of our future, and to safeguard students, employees, data and intellectual property.
“Few institutions appeared to have a risk management strategy in place that would allow them to respond to a pandemic, particularly the capacity to offer online programs and support when the crisis hit,” said Frans van Vught, joint project leader of the university ranking system U-Multirank.
It does not come as a shock that the majority of schooling systems, if not all, were underprepared for such a transition. If we look back from January 2020, few could have predicted what would evolve. In response, and in a bid to uphold some level of continuity, new rules have been implemented, new systems put in place, and new guidelines for teaching and learning have been made. But these rules differ from country to country, institution to institution, and the structure and clarity have been lost along the way. It is exactly this, the ambiguity of the entire situation, that cybercriminals are taking advantage of.
The methods used by attackers are sophisticated, and attacks against the industry are increasingly aggressive. From ransomware to malware, headlines with the latest breaches and threats (like the recent Blackbaud hack) are strewn across the news. And what is shouted about in print presents only a fraction of the real issues that this sector is facing.
“Not only have I seen the number of attacks in the education industry rise over the course of 2020 and 2021, but I have personally dealt with such an attack. The school of a family member of mine was recently hacked. The hacker got into the database of the school. This database was then exfiltrated, and the bad actor impersonated the accounts receivable. This meant that many of those on the parents' list, that the attacker now had access to, fell for the scam. This resulted in the school having to reimburse the parents, costing the school thousands of pounds. And these threats and attacks are far from rare. Many do not make it to the news. With each successful attack costing thousands of pounds in the process,” explained Feras Tappuni, the CEO of SecurityHQ, a global MSSP located in the UK that monitors networks 24/7, to ensure complete visibility and protection against cyber threats.
The education sector will always be a prime target for hackers, mainly because the attack surface is so large. The sheer size of the industry, and with it the potential for great financial gain, data theft and espionage, makes it attractive to cybercriminals. And anyone, from students to employees, faculty members and third-party providers, is a prospective target.
The larger the attack surface, the more likely the investment of time and resources into an attack will be fruitful. In the UK alone, there are over 2.3 million students in education and just under half a million staff in higher education. With such a large attack surface, realistically there has to be a weak link somewhere.
Other industries, such as the telecommunications or financial sectors, are obvious targets because of the wealth and power they hold. But setting aside the fact that the education industry, like many others, is large, what is the real gain behind hacking a student or employee account?
From kindergarten to postgrad, every education-based organization holds a wealth of data. This data includes a range of private and personal information, including addresses, telephone numbers, full names, sensitive data such as medical records, personal requirements, and much more.
Once collected and pilfered, this information can be sold and used to exploit individuals or whole schools at a time. If sensitive data is acquired, it can also be used as a bargaining tool within a ransomware attack.
A successful ransomware attack is financially beneficial to the attacker, and direct attacks on payment systems are also prevalent.
Student fees are a large part of the university and private schooling systems. The average student pays over £9,000 a year for their education (more than $12,000 U.S.), disregarding the additional costs of living arrangements, into a single faculty-connected account. With over 2.3 million students at university in the UK alone, targeting university systems and their associated financial third parties is financially fruitful.
The majority of payments are made in lump sums, via university online portals. If a bad actor can infiltrate this portal or create a phishing campaign to trick the user into sending the money to the wrong account, the benefits are huge.
According to a 2020 article in Forbes regarding financial aid fraud, “cybercrime specialists at the FBI noted one specific campaign that stole tens of thousands of dollars from students back in 2018. Since then, they’ve reported on multiple other campaigns targeting universities and student bodies all over the country.”
Universities hold valuable and influential intellectual property. Depending on the nature of the data stolen, espionage often takes place as a result. Research within medicine and engineering, in particular, can provide valuable insights which can then be used in the following three ways.
1) To understand the developments of a certain subject/project. This data can then be sold to competitors or nation-state actors to influence economic, social or political change.
2) Individuals/researchers/departments can be held to ransom in return for their valuable data. Often the process of stopping research can be more costly than the demand made.
3) Researchers can be denied access to their own data. By making it possible to hide or restrict the user's own information, development in a particular field (COVID-19 related research for instance) can be halted.
Alongside nation-state actor and espionage attacks are Distributed Denial-of-Service (DDoS) attacks. These attacks intend to infiltrate a weak network, flood this network, target a host and cause disruption to impact productivity and, in essence, stop or crash systems. The attack is hard to contain, as it is often made from multiple sources. The motives behind such an attack can range from a personal vendetta against a specific organization, to slowing down an organization to cost it time and money, to acting as a distraction that allows other infiltrations to be made.
How to Reduce Threats
To safeguard student data, research, processes and finance, schools must put in place strategies to mitigate cyber threats.
To do this, security patches must be maintained, and protocols to defend and test environments should be utilized. Visualize and understand malicious or anomalous activity, analyze, prioritize, and respond to threats quickly. This means that the only way to safeguard data, students, employees, and processes is with Managed Detection & Response.
Not only should technical strategies be put in place, but internal training for all students and staff must actively be encouraged, especially with regard to ransomware and phishing. Educating students about cyber risks and knowing how to recognize threats and safeguard devices will instill a culture of awareness.